Officials say the forfeited Bitcoin is linked to Aleksandr Sikerin, whose last-known address placed him in the Russian city of Saint Petersburg.
The FBI has seized 39 BTC from a crypto wallet that is believed to belong to a man allegedly involved in ransomware attacks.
Newly unsealed legal documents show the stash — worth $2.2 million at the time of writing — was seized from an Exodus account in August.
Officials say the forfeited Bitcoin is linked to Aleksandr Sikerin, whose last-known address placed him in the Russian city of Saint Petersburg.
The court filings state that ransomware attacks orchestrated by the REvil group generated more than $200 million in payments from victims — and the seized Bitcoin "was derived from, and is traceable to, ransomware attacks committed by Sikerin."
It is believed Sikerin was an affiliate, a small cog in a vast network. While REvil was responsible for developing the malicious software that would encrypt a victim's files — as well as the infrastructure where ransomware payments would be made — affiliates were responsible for performing the hacks and stealing the data.
According to Bleeping Computer, which first reported on the confiscation, affiliates earn 70% to 80% of the ransom.
Listen to the CoinMarketRecap podcast on Apple Podcasts, Spotify and Google Podcasts
Fighting Back
Back in October, REvil was reportedly forced offline by a multi-country operation — giving the ransomware group a taste of its own medicine after it orchestrated a number of high-profile attacks.
As well as targeting the Colonial Pipeline — causing gas shortages across the U.S. — hundreds of supermarkets were forced to close in Sweden after the software company Kaseya was crippled in a separate incident.
According to Reuters, law enforcement and cyber specialists were able to hack REvil’s infrastructure earlier this year and take control of some of its servers.
REvil’s websites were later restored from a backup — but this resulted in internal systems controlled by law enforcement also being reactivated.
After the "significant disruptive action" emerged, a number of the group's leaders went into hiding — with one writing:
"The server was compromised, and they were looking for me. Good luck, everyone; I’m off."
